MakeCert.exe tool, which allows you to create a self-signed certificate. This tool is part of the Microsoft .NET Framework SDK and Microsoft Windows SDK. On modern Windows versions (Windows 10/8.1 and Windows Server 2019/2016/2012 R2) you can create a self-signed certificate using the built-in PowerShell cmdlet New-SelfSignedCertificate without using extra tools.
Using the New-SelfSignedCertificate PowerShell Cmdlet to Create a Self-Signed Certificate
To create a self-signed certificate with PowerShell, you can use the New-SelfSignedCertificate cmdlet, which is part of the PowerShell PKI (Public Key Infrastructure) module.
To list all available cmdlets in the PKI module, run the following command:
Get-Command -Module PKI
It is recommended to use self-signed certificates for testing purposes or to provide certificates for home intranet services (IIS, Exchange, Web Application Proxy, LDAPS, ADRMS, DirectAccess, etc.) if you cannot deploy a PKI/CA infrastructure or buy a trusted certificate from an external provider.
Tip. Don't forget that you can easily get a free SSL certificate from Let's Encrypt. Here's an example of how to issue a Let's Encrypt SSL certificate and bind it to an IIS site on Windows Server.
To create a certificate, you have to specify the values of -DnsName (the name of a server; the name may be arbitrary and different from the localhost name) and -CertStoreLocation (the local certificate store in which the generated certificate will be placed). You can use the cmdlet to create a self-signed certificate on Windows 10 (in this example), Windows 8.1 and Windows Server 2019/2016/2012 R2/2012.
To create a new SSL certificate (of the default SSLServerAuthentication type) for the DNS name test.contoso.com (use a FQDN name) and add it to the list of personal certificates on a computer, run the following command:
New-SelfSignedCertificate -DnsName test.contoso.com -CertStoreLocation cert:\LocalMachine\My
   Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
2175A76B10F843676951965F52A718F635FFA043  CN=test.contoso.com
If you run this command in a non-elevated PowerShell session (without local admin permissions), an error appears:
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
If you have specified a non-standard cryptographic provider (CSP), for example, using the -KeyAlgorithm "ECDSA_secP256r1" -Provider "Microsoft Smart Card Key Storage Provider" parameters, make sure it is installed on your computer (the default is the Microsoft Enhanced Cryptographic Provider CSP). Otherwise, an error will appear:
New-SelfSignedCertificate: CertEnroll::CX509Enrollment::_CreateRequest: Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF).
This command creates a new certificate and imports it into the computer's personal certificate store. Open the certlm.msc MMC snap-in and make sure that a new certificate appears in the Personal section of the certificate store.
By default, a self-signed certificate is generated with the following settings:
- Cryptographic algorithm: RSA;
- Key length: 2048 bit;
- Acceptable key usage: Client Authentication and Server Authentication;
- The certificate can be used for: Digital Signature, Key Encipherment;
- Certificate validity period: 1 year.
As you can see, the certificate properties indicate that this certificate can be used for Client Authentication, but it is also valid for Server Authentication.
Using the Get-ChildItem cmdlet, you can display all the parameters of the created certificate by its thumbprint :
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object Thumbprint -eq 2175A76B10F843676951965F52A718F635FFA043 | Select-Object *
PSPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\2175A76B10F843676951965F52A718F635FFA043
PSParentPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\My
PSChildName : 2175A76B10F843676951965F52A718F635FFA043
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList : {test.contoso.com}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 05/11/2021 06:19:42
NotBefore : 05/11/2020 05:59:42
HasPrivateKey : True
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 45...}
SerialNumber : 6797F5E3F870478D4D3798BEB291DBF3
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 2175A76B10F843676951965F52A718F635FFA043
Version : 3
Handle : 2834444631568
Issuer : CN=test.contoso.com
Subject : CN=test.contoso.com
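The property dump above is hard to review by eye across many certificates. The following function is an added example (not part of the original article) that audits every certificate in a store against the defaults listed above: it flags self-signed certificates, signature hashes weaker than SHA-2, RSA keys shorter than 2048 bits, certificates close to expiry, and the default client-plus-server EKU. The store path and thresholds are assumed defaults.

```powershell
function Test-SelfSignedCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # assumed default store
        [int]$MinKeyLength = 2048,
        [int]$ExpiryWarningDays = 30
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $c = $_
        $issues = @()
        # A self-signed certificate has the same Subject and Issuer.
        if ($c.Subject -eq $c.Issuer) { $issues += 'self-signed' }
        # Signature hash: anything weaker than SHA-2 is rejected by current browsers.
        $sigAlg = $c.SignatureAlgorithm.FriendlyName
        if ($sigAlg -notmatch 'sha(256|384|512)') { $issues += "signature hash $sigAlg" }
        # Key length; PublicKey.Key only resolves for RSA/DSA keys on Windows PowerShell,
        # so an ECDSA key leaves KeySize empty instead of failing the whole audit.
        $keySize = $null
        try { $keySize = $c.PublicKey.Key.KeySize } catch { }
        if ($keySize -and $keySize -lt $MinKeyLength) { $issues += "key length $keySize" }
        # Expiry: the default 1-year validity silently breaks services when it lapses.
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -le $ExpiryWarningDays) { $issues += "expires in $daysLeft days" }
        # The default EKU allows both client and server authentication; note it for review.
        $eku = @($c.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
        if (($eku -contains 'Client Authentication') -and ($eku -contains 'Server Authentication')) {
            $issues += 'EKU: client and server authentication'
        }
        [pscustomobject]@{
            Thumbprint         = $c.Thumbprint
            Subject            = $c.Subject
            DnsNames           = (@($c.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ')
            SignatureAlgorithm = $sigAlg
            KeySize            = $keySize
            NotAfter           = $c.NotAfter
            HasPrivateKey      = $c.HasPrivateKey
            Issues             = ($issues -join '; ')
        }
    }
}

Test-SelfSignedCertificate | Format-Table -AutoSize
```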
Note. Such a self-signed certificate will expire in 1 year from the date of its creation. You can set a different certificate validity period using the -NotAfter option. For example, you can issue an SSL/TLS certificate with a three-year validity period with the following commands:
$todaydt = Get-Date
$3years = $todaydt.AddYears(3)
New-SelfSignedCertificate -dnsname test.contoso.com -notafter $3years -CertStoreLocation cert:\LocalMachine\My
You can create a certificate chain. First, a root certificate (CA) is created, and based on it, an SSL server certificate is generated:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "test2.contoso.com" -Signer $rootCert -KeyUsage KeyEncipherment,DigitalSignature
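The two commands above create the chain but do not show how trust is established or checked. The following is an added example (not from the original article) that builds the same kind of chain, distributes only the root's public certificate to the Trusted Root store, verifies the server certificate against it with Test-Certificate, and then removes the root's private key from the server. The host names, the C:\ps path and the 5-year root validity are assumptions.

```powershell
New-Item -ItemType Directory -Path 'C:\ps' -Force | Out-Null   # assumed working directory

# Root CA: long-lived, signing-only key usage, exportable so it can be moved off the server.
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable `
    -KeyUsage CertSign,CRLSign,DigitalSignature -KeyUsageProperty All `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# Server certificate signed by the root: short-lived, non-exportable key, two SAN entries.
$leaf = New-SelfSignedCertificate -DnsName 'test2.contoso.com','www.test2.contoso.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Signer $rootCert `
    -KeyUsage KeyEncipherment,DigitalSignature -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1) -HashAlgorithm SHA256

# Chain check before the root is trusted: the SSL policy cannot validate an unknown issuer.
Test-Certificate -Cert $leaf -Policy SSL -DNSName 'test2.contoso.com' -ErrorAction SilentlyContinue

# Only the root's public part is distributed: export a .cer, never the PFX.
$rootCer = Export-Certificate -Cert $rootCert -FilePath 'C:\ps\TestRootCA.cer'
Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath $rootCer.FullName | Out-Null

# Chain check after trusting the root, once for a SAN name and once for a name not on the certificate.
Test-Certificate -Cert $leaf -Policy SSL -DNSName 'test2.contoso.com'
Test-Certificate -Cert $leaf -Policy SSL -DNSName 'other.contoso.com' -ErrorAction SilentlyContinue

# The root's private key should not stay on a web server once signing is done:
# back it up to a password-protected PFX and delete the key from this machine.
$rootPfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for the root key'
Export-PfxCertificate -Cert $rootCert -FilePath 'C:\ps\TestRootCA.pfx' -Password $rootPfxPassword | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($rootCert.Thumbprint)" -DeleteKey
```

Run it in an elevated session, since both the LocalMachine\My and LocalMachine\Root stores are written.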
In order to export the generated certificate with its private key to a password-protected PFX file, you need to specify its Thumbprint. It can be copied from the output of the New-SelfSignedCertificate command. You also need to specify the certificate password and convert it to SecureString format:
$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\test.pfx -Password $CertPassword
The certificate public key can be exported as follows:
Export-Certificate -Cert Cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer
Make sure the *.cer (PFX) certificate file appears in the specified directory. If you right-click it and select the "Install Certificate" menu item, you can use the Certificate Import Wizard to add the certificate to the trusted root certificates on your computer.
Select Cert Store location -> Local Machine, Place all certificates in the following store -> Trusted Root Certification Authorities.
You can create a certificate and immediately import it into the Trusted Root Certificate store of the computer using the following commands:
$SelfSignCert=New-SelfSignedCertificate …..
$certFile = Export-Certificate -Cert $SelfSignCert -FilePath C:\ps\export-certname.cer
Import-Certificate -CertStoreLocation Cert:\LocalMachine\AuthRoot -FilePath $certFile.FullName
This public key or the certificate file itself can be deployed to all computers and servers in the Active Directory domain using GPO (How to deploy certificates on domain computers using GPO?).
Create a Self-Signed Certificate with Subject Alternative Names
One of the useful features of the New-SelfSignedCertificate cmdlet is the ability to create a certificate with several different names, Subject Alternative Names (SAN).
Note. The Makecert.exe tool, unlike the New-SelfSignedCertificate cmdlet, cannot generate SAN and Wildcard certificates.
If you want to create a certificate with multiple names, the first name in the DnsName parameter will be used as the CN (Common Name) of the certificate. For example, let's create a self-signed SAN certificate with the following names:
- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): web_gw.contoso.com
- Subject Alternative Name (DNS): enterprise_reg.contoso.com
The command for creating a certificate will look like this :
New-SelfSignedCertificate -DnsName adfs1.contoso.com,web_gw.contoso.com,enterprise_reg.contoso.com -CertStoreLocation cert:\LocalMachine\My
Also, you can generate a wildcard certificate for the entire domain namespace. To do it, specify *.contoso.com as the server name.
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.contoso.com
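As an added example (not part of the original article), the following snippet shows how to confirm what the two commands above actually produced: it reads the SAN extension of the multi-name certificate and then asks Test-Certificate which host names the wildcard certificate covers, including the edge cases of the bare domain and a two-level subdomain. The certificates are created in the current user's store so no elevation is needed; -AllowUntrustedRoot skips the (expected) untrusted-root failure so only name matching is tested.

```powershell
# Multi-name certificate: CN comes from the first DnsName, all names land in the SAN extension.
$san = New-SelfSignedCertificate -DnsName 'adfs1.contoso.com','web_gw.contoso.com','enterprise_reg.contoso.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
$san.Subject
($san.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($true)

# Wildcard certificate: check name matching for a direct subdomain, the bare domain and a nested name.
$wild = New-SelfSignedCertificate -DnsName '*.contoso.com' -CertStoreLocation 'Cert:\CurrentUser\My'
foreach ($name in 'www.contoso.com', 'contoso.com', 'a.b.contoso.com') {
    $ok = Test-Certificate -Cert $wild -Policy SSL -DNSName $name -AllowUntrustedRoot -ErrorAction SilentlyContinue
    '{0,-20} covered by *.contoso.com: {1}' -f $name, [bool]$ok
}
```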
Generate a Self-Signed Certificate for Code Signing on Windows
In PowerShell 3.0, the New-SelfSignedCertificate cmdlet only generates SSL certificates that cannot be used to sign driver, application or script code (unlike certificates generated by the MakeCert utility).
In PowerShell version 5.0 and later, a new version of the New-SelfSignedCertificate cmdlet can be used to issue Code Signing certificates.
To create a self-signed application code signing certificate, run the command :
$cert = New-SelfSignedCertificate -Subject "My Code Signing Certificate" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
Now you can sign your PowerShell script with a self-signed certificate:
Set-AuthenticodeSignature -FilePath C:\PS\my_posh_script.ps1 -Certificate $cert
If you receive an UnknownError warning when executing the command, this means that the certificate is not trusted, because it is located in the user's personal certificates store.
You need to move it to the Trusted Root Certificate store (don't forget to periodically scan the Windows root certificate store for untrusted and suspicious certificates and update the lists of trusted root certificates).
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
After that, you can sign your PowerShell script with this self-signed certificate .
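The following is an added example (not from the original article) covering the whole signing procedure above with one change: instead of moving the key-bearing certificate into the Root store, only its public part is imported into Root (so the chain validates) and TrustedPublisher (so the AllSigned execution policy does not prompt), while the private key stays in the personal store. It ends with the periodic root-store scan the note above asks for. The script path under $env:TEMP and the 30-day window are assumptions; the script content is constructed.

```powershell
# Code signing certificate in the user's personal store; the key never leaves it.
$cert = New-SelfSignedCertificate -Subject 'CN=My Code Signing Certificate' -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' -HashAlgorithm SHA256 -KeyExportPolicy NonExportable

# Constructed sample script to sign.
$script = Join-Path $env:TEMP 'my_posh_script.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null
# While the signer is untrusted the status is reported as UnknownError (see the note above).
(Get-AuthenticodeSignature -FilePath $script).Status

# Trust only the public certificate. Windows asks for confirmation when a root is added
# to the CurrentUser store; TrustedPublisher is what the AllSigned policy consults.
$cer = Export-Certificate -Cert $cert -FilePath (Join-Path $env:TEMP 'codesign.cer')
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\TrustedPublisher') {
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation $store | Out-Null
}
(Get-AuthenticodeSignature -FilePath $script).Status

# Periodic review of the root stores: a root certificate that carries a private key on this
# machine, or one that appeared recently, deserves a second look.
function Get-SuspiciousRootCertificate {
    param([int]$RecentDays = 30)   # assumed review window
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object {
            $_.HasPrivateKey -or $_.NotBefore -gt (Get-Date).AddDays(-$RecentDays)
        } | Select-Object @{ n = 'Store'; e = { $store } }, Thumbprint, Subject, NotBefore, HasPrivateKey
    }
}
Get-SuspiciousRootCertificate | Format-Table -AutoSize
```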
Using a SHA-256 Self-Signed SSL Certificate in IIS on Windows Server
Please note that when creating a self-signed certificate for IIS through the Internet Information Services Manager console (the Create Self-Signed Certificate action menu item), an SSL certificate is created using the SHA-1 hash algorithm. Such certificates are considered untrusted by many browsers and cannot be used to establish a secure connection (or you may see other SSL errors). The New-SelfSignedCertificate cmdlet allows you to create a more widely accepted type of certificate using the SHA-256 hash algorithm.
You can bind a self-signed SHA-256 certificate generated with PowerShell to an IIS website on Windows Server. If you create an SSL certificate using PowerShell and put it in the computer's certificate store, it will automatically be available to IIS sites.
Start the IIS Manager console, select your website, and then in the Site Bindings options, select the certificate you created and save your changes.
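The same binding can be done without the GUI. The following is an added example (not from the original article) that creates the SHA-256 certificate, checks its signature algorithm before use, adds an SNI-enabled HTTPS binding with the WebAdministration module, and then verifies which certificate IIS actually serves. The site name 'Default Web Site' and the host name are assumptions; run it elevated on a server with IIS installed.

```powershell
Import-Module WebAdministration
$siteName = 'Default Web Site'    # assumed IIS site
$hostName = 'test.contoso.com'    # assumed host name

$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My' `
    -HashAlgorithm SHA256 -KeyLength 2048 -KeyExportPolicy NonExportable

# Guard against binding a SHA-1 certificate (what the IIS Manager wizard would have produced).
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -ne 'sha256RSA') { throw "Refusing to bind certificate with signature algorithm $sigAlg" }

# HTTPS binding with SNI (SslFlags 1) so several host names can share port 443.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify from the SSL binding table that the served thumbprint is the one just created.
Get-ChildItem -Path 'IIS:\SslBindings' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object IPAddress, Port, Host, Store, Thumbprint
```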